I noticed that GVM reports the product CPE in the wrong format when it is a patch version.

For example, the following is the CPE that GVM built for OpenSSH Server 8.9p1: cpe:/a:openbsd:openssh:8.9p1. The correct CPE should be cpe:/a:openbsd:openssh:8.9:p1.


You are mixing up Patch and Portable: there is OpenSSH 8.9 and OpenSSH 8.9p1 (Portable), and that is not a patch level.


Yeah. I’m very sorry for my misunderstanding. I searched for the CPE in NVD - Search but could not find it, then I rushed to conclude that the CPE format is wrong. Now I can find information about OpenSSH Portable here: OpenSSH: Portable Release. Thank you for explaining.

Strangely enough, it seems that the NVD has switched from using the “correct” CPE cpe:/a:openbsd:openssh:4.4p1 to using cpe:/a:openbsd:openssh:4.4:p1, as seen in e.g.:

@panajo1017 You might want to contact the NVD via to get this corrected back so that the p1 isn’t added to the Update Component part of the CPE because p1 is actually not an update / patch as we have now concluded.
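A small added example (my own code, not GVM's or the NVD's) that splits CPE 2.2 URIs into their components and shows why the two spellings discussed in this thread are different identifiers: in cpe:/a:openbsd:openssh:8.9p1 the portable suffix stays in the version component, while cpe:/a:openbsd:openssh:8.9:p1 moves p1 into the update component, so a scanner emitting one form will not match a vulnerability entry written in the other. The `matches` rule is a simplified exact match with empty fields as wildcards, an assumption of this example and not the CPE 2.3 matching specification.

```python
# Hypothetical helper (not GVM or NVD code): parse CPE 2.2 URIs and compare them
# field by field to show the difference between "8.9p1" and "8.9:p1".
from dataclasses import dataclass

# CPE 2.2 URI components in order: cpe:/part:vendor:product:version:update:edition:language
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


@dataclass(frozen=True)
class Cpe22:
    part: str
    vendor: str
    product: str
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""


def parse_cpe22(uri: str) -> Cpe22:
    """Split a CPE 2.2 URI into its named components; missing trailing fields become ''."""
    prefix = "cpe:/"
    if not uri.startswith(prefix):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len(prefix):].split(":")
    if len(fields) < 3 or len(fields) > len(CPE22_FIELDS):
        raise ValueError(f"expected 3..{len(CPE22_FIELDS)} components: {uri!r}")
    fields += [""] * (len(CPE22_FIELDS) - len(fields))
    return Cpe22(*fields)


def matches(target: Cpe22, vuln: Cpe22) -> bool:
    """Simplified matching (assumption of this example): every non-empty field of the
    vulnerability CPE must equal the target's field; empty fields act as wildcards."""
    for name in CPE22_FIELDS:
        want = getattr(vuln, name)
        if want and want != getattr(target, name):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample values taken from the thread above.
    scanner = parse_cpe22("cpe:/a:openbsd:openssh:8.9p1")   # version="8.9p1", update=""
    nvd = parse_cpe22("cpe:/a:openbsd:openssh:8.9:p1")      # version="8.9",   update="p1"
    print(scanner)
    print(nvd)
    print("match:", matches(scanner, nvd))                   # False: the fields differ
```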

